Trust and Internet Identity Meeting Europe
5-6 Feb 2018: Workshops and Tutorials
7-8 Feb 2018: Unconference

TIIME 2018: Shib IdP authentication

(Thomas Bärecke)

Thomas: We at SWITCH have for a long time been a nearly completely Microsoft-free environment. Up to now we have been a full mesh federation, and this is going to change: a central IdP for all unis, so everyone has an account at SWITCH, and we need to incorporate systems at the universities, and that is with Microsoft solutions. SWITCH edu-ID is Shibboleth, so SAML. I have been talking to universities that do access on SharePoint with a link to the ship (?) ID; whether it works in all contexts I don't know. I am interested to hear your input on your solutions.

Mads: A civil IdP towards the Microsoft thing? It's a hack and not nice. We have some services and ADFS, and they chose SAML, and then we have a hub here and we talk SAML.

T: Does SSO work on different pages of SharePoint? I was told that ADFS doesn't have a session in this sense. That could probably be configured, or? M: You can go with our guest system; the problem we discovered is that

M: They didn't get the expected attributes. It's possible to use ADFS as a proxy, but it's a hack. We start by registering Y (the second SP), then we register a small service to ADFS as SSO, and then we look at the (this is where the hack comes in) Referer headers in the request that comes down here. So we fix the request so that it looks like it comes from the one originally sending it. And then we send the result to the other one. But you have to do one thing. We told them we don't like this solution; one alternative could be to implement something at our side. They were in a hurry because they were publishing the Y SP. So it does work.

T: They didn't have this hack in Switzerland, so when I came they were lost.

Matthew: This is version 1. We are a VO operator. We need to be able to access our research projects. In version 1 there were several challenges. We made a common SP. The eduGAIN metadata feed that we had to get into an ADFS, that was the first challenge. The second was to get the necessary attributes into COmanage. There is the authentication data and the authorization data; providing the data was easy. The claims with their ID, list of rules, common name and mail address. SharePoint can do that without any problems. We used the metadata query server that did that. I had a PowerShell script that took the metadata feed and created or destroyed CP trusts, and if you look at the GitHub in the wiki they are operating with ADFS. That's everything you need to know for putting an ADFS SP into a federation. I assume that SWITCH is maintaining the metadata aggregate. To do that you can write a claim acceptance transform rule. For each of these trusts they are running (as long as there is a scope) a scope check. The Microsoft default discovery page is garbage. We worked with Scott to adapt the Shibboleth discovery service as a custom ADFS theme; when you hit the discovery page, it would look similar to the ADS. The URL for that is If you get the data to work, the authorization to work, and it's smart: it uses the notes field with a unique tag so that it can run later if it sees a trust that is not in the MDQ entity list.

That gets the authentication stuff working. I don't know if this is public, but underneath COmanage is OpenLDAP, and under that is a Shib IdP configured as a Shib authority. That's how we got it into the ADFS. As long as the IdP asserts an ePPN.

Model 2: we still have COmanage, OpenLDAP, and ADFS and SharePoint, ADFS and SharePoint, ADFS and SharePoint. We've got three of these things. And SATOSA and eduGAIN over here. Now we still get the authentication data from eduGAIN, and as far as the rest of the world thinks, they see the SATOSA SP. Here is our authorization data: VO UPN, isMemberOf, CN, mail. All coming from COmanage, and then we translate that into SharePoint. If I wasn't doing this within the context of a virtual organisation, my recommendation would be to put something in front of ADFS. It could be SATOSA, but it's kind of hard to do. I am not ready to tell people how to run it; I have to lean on Scott for SATOSA. SimpleSAMLphp is a great proxy. It has lots of plugins for great services. I treat it as the SAML-to-ADFS protocol standard. I would get ADFS out of the picture. You tell the relying party in this scenario that we hide that Active Directory in our custom embedded service. In this we can tell ADFS to just use this one identity provider. Ideally... I've heard of people using SimpleSAMLphp instead of ADFS. I would use SimpleSAMLphp as a proxy.

Henri: has achieved SSO to Office 365 with Shibboleth IdP 3 (no AD). The IdM system connected to the Shibboleth IdP knows the immutableID (at Azure AD), which is needed for the SAML assertions.

T: We would have about 25 SharePoint instances in Switzerland. You could manipulate it in SimpleSAMLphp and pass whatever you need, or do it this way as different ADFSs.

Slavek: You can't create mailboxes with that. We have an API which is good enough but slow, and Microsoft can start denying our requests if you're doing too many of them. The REST API is not complete and also slow.

T: We could have 400k euros for the education; we want to migrate them all to our central IdP, and today we have 350k accounts. S: Usually we just do the incremental stuff, but the synchronisation might take a while. We have 50k accounts.

M: I would still recommend a proxy in front of the ADFS to interact with the federation. You don't have to do anything extra this way. I would just put a proxy in front of a proxy in front of SharePoint if I were to do it all over again. I thought ADFS 2016 would be radically better, but I set it up last night and you can consume the metadata aggregate, but that's it. All the other problems like scope checking are still there, and you just skip it. That means you have to run another instance, but figure out how to do the Nano Server version of that, run it in Docker, and be done with it.

T: To summarize it, either you can adapt ADFS with scripting, or you put a proxy in front of it.

M: I am interested in how you edited the XML. Mads: It was because we had multiple ones.